On April 9, 2019, the Office of the Privacy Commissioner of Canada (“OPC”) announced it would be holding a stakeholder consultation on transborder data flows. The consultation paper (“Consultation Paper”) proposes a reversal of the two-decade-old existing policy on consent.
However, the Consultation Paper simply stated the OPC’s position and invited the public’s views, with no indication of why the OPC thought the change was necessary or what the key issues were. Shortly thereafter, the OPC issued a supplemental consultation paper (“Supplemental Consultation Paper”), in which it provided its rationale for the about-face and posed specific questions for stakeholders to consider. See our separate post providing an update on the Supplemental Consultation Paper here.
The Reversal
The existing Guidelines for Processing Personal Data Across Borders (“Guidelines”) were announced in 2009 and expressly state that (emphasis added):
A transfer for processing is a “use” of the information; it is not a disclosure. Assuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required.
The consultation document proposes the exact opposite (emphasis added):
In the absence of an applicable exception, the OPC’s view is that transfers for processing, including cross border transfers, require consent as they involve the disclosure of personal information from one organization to another.
Analysis
In its Guidelines, the OPC took the view that the Personal Information Protection and Electronic Documents Act (“PIPEDA”) does not require organizations to obtain an individual’s consent before transferring their personal information for processing, including processing abroad. So long as an organization is using the personal information for a purpose to which the individual has consented, and the transfer is being done in order to achieve that purpose, the international aspect does not trigger any further consent requirement. That position is consistent with the wording of PIPEDA since it – unlike, for example, the equivalent legislation in Quebec[1] or Alberta[2] – is silent on the issue of cross-border transfers.
The OPC’s proposed new approach appears to be a wholesale reversal of its previous position. As the Consultation Paper explains, “the OPC’s view is that transfers for processing, including cross border transfers, require consent as they involve the disclosure of personal information from one organization to another.” For such consent to be valid, “individuals must be provided with clear information about any disclosure to a third party, including instances when they are located in another country, and the associated risks.”
Nature of Consent
Nothing thus far suggests that the OPC will expect some special form of consent for transferring data abroad (contrast this with the very specific types of consent, and consent language, required under Canada’s Anti-Spam Legislation (CASL)).
Rather, it appears that PIPEDA’s generally applicable requirements will continue to apply. However, the Consultation Paper refers to the OPC’s recently released Guidelines for Obtaining Meaningful Consent (“Meaningful Consent Guidelines”), which set a higher standard for obtaining meaningful consent under PIPEDA. This heightened standard was reflected in the 2015 amendments made by the Digital Privacy Act, SC 2015, c 32, which changed the PIPEDA requirement for “consent” into one for “valid consent”. In practical terms, the OPC’s proposed new approach to consent, coupled with the requirements of the Meaningful Consent Guidelines, likely means that organizations will at a minimum need to prepare disclosure as to where personal information will be transferred or disclosed, and the implications and risks for the individual.
Whether express consent will be required for such transfers is an open question. The sensitivity of the personal information and the laws to which the data recipient is subject will be significant factors in assessing how detailed and explicit the consent would need to be under this proposed new regime. When less sensitive information is transferred to a jurisdiction with strong data protection laws, an organization may take the position that a broad statement about transfers abroad will suffice. Conversely, a business transferring sensitive information to a jurisdiction with fewer such protections may elect to provide more specific and detailed disclosure. Even the nature of the transferor’s business may be a factor, given what it could reveal about the individual. For example, transferring credit card data to the United States may raise relatively few concerns for an online clothing store, whereas it could be extremely sensitive for a cannabis retailer.
To provide valid consent under PIPEDA, individuals must be able to understand what they are consenting to; as the Consultation Paper puts it, valid consent requires “clear information about any disclosure to a third party, including instances when they are located in another country, and the associated risks.” At the same time, the consequences of transferring personal information abroad can be complex, particularly since they are in large part a function of the often-complicated legal regime applicable in the data recipient’s jurisdiction. As a result, when preparing consent documents in the proposed regime, organizations may need to identify the relevant provisions of the applicable foreign laws and then describe them in a manner that is both comprehensive and comprehensible. While it is likely that best practices will emerge over time, preparing disclosure that meets both those criteria will be challenging. It also imposes on organizations a significant compliance burden, and a need to understand foreign laws.
Unresolved Issues
Can individuals refuse to permit cross-border transfers? The Consultation Paper states:
“…individuals cannot dictate to an organization that it must design its operations in such a way that personal information must stay in Canada (data localisation), but organizations cannot dictate to individuals that their personal information will cross borders unless, with meaningful information, they consent to this.”
This suggests that in cases where express consent is determined to be required (for instance, in the case of sensitive information such as financial or health information, or where the “reasonable expectations of the individual” are that their information is staying in Canada), an individual would in fact have the right to refuse consent. What then? How are existing businesses expected to address decades’ worth of personal information being stored outside of Canada when customers refuse consent? Re-engineer their processes and repatriate the information to Canada? What if businesses are unable to do so – will they need to shut down customer accounts or no longer provide customer service? Will refusal to consent be a legitimate basis for denying service?
What is a reasonable expectation? The Consultation Paper states that “[w]hen determining the form of consent (express or implied), companies will need to consider the sensitivity of the information and individuals’ reasonable expectations.” In the Equifax Report of Findings, in which the OPC applied its reasoning to Equifax’s data sharing practices (while noting that Equifax had, in good faith, been following the existing Guidelines), the OPC found that consumers would have had a reasonable expectation that their information would stay in Canada based on, among other things, the fact that Equifax Canada says “Canada” right in its name (and was distinct from Equifax Inc.) and used a .ca domain name. This kind of analysis will create challenges for organizations that have attempted to have a uniquely Canadian brand or marketplace presence, but are foreign-based.
What is a “transborder dataflow”? Some provinces (notably British Columbia and Nova Scotia) already have data localization laws that apply to their public sectors. These provinces have provided very little in the way of information as to how to interpret their data localization requirements, in part because it is extremely difficult to do so. Similar challenges will likely arise in interpreting whether data is “transborder”. Do these proposed consent requirements apply only to data at rest? Or also to data in transit?
What about data that transits only briefly through, say, the US? Most people would assume that when they access a U.S.-based company’s website, like Facebook, their information travels through the U.S. and back again. However, this also happens when Canadians access the websites of Canadian companies, banks and even governments.
An IXP (Internet Exchange Point) is a hub where independent networks can interconnect directly with one another, providing high-bandwidth and low-latency access at a lower cost than traditional transit. Many Canadian Internet service providers currently employ north-to-south transit pipes to transmit data, relying on hubs in the United States, before the data returns to Canada. Most Canadian internet data travels through New York, Chicago, and Seattle, which are the three principal U.S. cities where Canadian carriers hand off data to other carriers for delivery back to Canada. These cities are all sites of U.S. National Security Agency listening posts, operating under security and surveillance laws such as the USA PATRIOT Act, which grant Canadians no legal rights. Does this brief transit need to be disclosed? If so, a large number of Canadian businesses would be required to seek consent. How much detail is required? How is an organization expected to evaluate the risk of surveillance?
What about access? Does a “transborder dataflow” include access to information resident in Canada by persons resident elsewhere? Many customer service and tech support service models use this approach, and were designed this way specifically to avoid being encumbered with additional regulatory requirements. Has that all now changed?
What about related/affiliated entities? It appears that where two entities are separate legal entities (even though affiliated), consent will be required under the proposed consent regime. Relying on the rationale in the Equifax Report of Findings (paras. 99-101), transfers between such affiliated but separate entities would, under the proposed consent regime, be considered disclosures – and thereby require consent, and possibly other protections (for instance, intercompany data transfer agreements).
International Trade Obligations
An interesting side issue is how the new approach would coexist alongside Canada’s international trade obligations (such as those under CETA, or the CUSMA which replaced NAFTA), which generally prohibit restrictions on trade disguised as regulatory measures (generally called “non-tariff trade barriers”). While there is no reason to think that the OPC’s proposal is in fact motivated by a desire to protect Canadian data processors rather than to tighten privacy protections, once the new policy is formally adopted it is possible (especially given the current view of the U.S. on this issue) that a foreign processor may challenge it before a trade tribunal.
The Consultation Paper contains only a single sentence on the issue from the OPC, no doubt intending to reassure, but falling far short: “We have considered the implications of our position in the context of cross-border trade and the importance of information flows for the purpose of facilitating commerce. In our view, this position is consistent with Canada’s international trade obligations.”
Inherent in the proposal of the OPC is a degree of xenophobia – it assumes that the mere fact that personal information is transferred outside Canada, in and of itself, creates “risk”. Arguably, given the number of mutual cooperation treaties, memoranda of understanding, international intelligence sharing obligations (such as Five Eyes), and domestic legislation of extraterritorial application (for instance, the US CLOUD Act), there is no more risk to personal information outside Canada than already exists within Canada.
Takeaways for Business
The consultation period remains open until June 4, 2019. Once it is complete, the OPC will likely publish updated guidance (including updating the Meaningful Consent Guidelines). No time frame has been given for this. Organizations that deal with foreign (or domestic) data processors may wish to consider submitting comments for the OPC’s consideration, and in any event would do well to keep a close eye on the consultation process and subsequent developments in this regard.
In anticipation of likely change, organizations should be taking steps to assess their exposure on this issue, and begin mapping their data flows, as well as reviewing their consent language and processes. Organizations transferring personal information to affiliates should review if they have intercompany agreements in place or other infrastructure that supports a defensible transfer.
For more information about Dentons’ data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business, including data mapping, contractual review, and consent benchmarking.
[1] The Act respecting the protection of personal information in the private sector at section 17.
[2] The Personal Information Protection Act, SA 2003, c P-6.5 at section 13.1.